What are you hiding, Gotham City Research asks Criteo. Says the company is destroying evidence

Attempts by Criteo to circumvent Apple’s new privacy settings have put the company on a collision course with regulators in the US and Europe according to a new report, whose authors also accuse the French digital giant of attempting to cover its tracks and remove evidence of its workarounds.

The performance marketer’s shares fell today after another hostile report from Gotham City Research, a private due diligence investment group that is shorting the stock. As a shorter of the stock GCR gains when Criteo falls.

GCR has a history of successfully tracking ad tech companies. Its founder Daniel Yu told Which-50 earlier this year that it has followed the performance of ad techs in the past including Blucora, Blinkx, and Retailmenot as well as some ad agencies. The point he was making was that Gotham City Research understands the ad tech world, hence its interest in Criteo.

This is the third report published by the group on the company and is the latest in a series of damning indictments of Criteo’s business practices that go back several years and at one stage included litigation with another ad tech business – Steel House – where each accused the other of fraud. The parties settled out of court.

Among the key findings of this new report:

In trying to circumvent Apple’s new privacy features the company has put itself in violation of section 5 of the FTC Act which prohibits “unfair or deceptive acts or practices in or affecting commerce.”

Apple is working on defeating Criteo’s privacy abuses, based on Apple’s response to us from ~1 week ago.

Criteo’s user tracking & consent practices are in violation of coming European regulation (GDPR, article 7 recital 32) in May 2018, and will face fines of up to 4 per cent of revenues.

Criteo’s acts of desperation show that Apple’s ITP is a game changer for Criteo and other ad targeting firms.

Most advertisers, including Criteo clients, would not risk losing the trust of their customers by employing nefarious tracking mechanisms like super cookies.

Perhaps the most serious accusation in the new report is that Criteo’s workaround to circumvent Apple’s privacy features in Safari “…is being used in violation 5 of the FTC Act.”

Criteo again attacked the claims by Gotham City Research. In a statement provided to Which-50 Criteo said, “Once again, the allegations published by Gotham City include a number of false claims directed at Criteo and demonstrate a continued and fundamental lack of understanding of our business and technology. Criteo has been open with our clients about this solution, which provides full transparency and control to Safari users – and we do not collect any information before users enable Criteo’s cross-site tracking technology.”

“Full disclosure is provided and users can choose to click directly into our learn more page. Once our cross-site tracking technology is enabled, users are provided with another opportunity to change their mind. Users can visit our privacy policy page at any time to change their settings. The technology also fully respects and enforces consumers opt-out choice by stopping all data collection cross-site tracking for opt-out users and removing all associated technical identifiers and previously collected data.”

And as it has done in the past, Criteo criticised its accusers for not seeking their comment before publication, “As with their prior reports, the author failed to seek clarification from Criteo regarding any of their claims before writing the report. Criteo, in line with our policy, will not comment further on market rumor and speculation.”

Once again, as is its practice (and its right), Criteo has not addressed the specific questions we asked* about whether their technology puts the company at odds with laws in the US and the EU. However, by emphasizing the opt-out provisions of its approach, its denial is a little more specific than in the past. *Our questions are published at the end of this article.

To a large extent, Criteo’s strategy of ignoring its critics is paying dividends. While its shares fall with each new revelation, they typically recover once the spotlight moves on. And the company is largely getting a free pass in its home market, France, where it is considered a star of the local digital sector. Industry opinion there is supportive. For instance, a few days prior to the latest GCR report, Gauthier Picquet, CEO of Publicis Media France, was quoted in the publication JDN, dismissing the previous revelations.

He told reporter Nicolas Jaimes, “I have a fairly clear opinion on this case and I find that the Gotham City Research report was completely burdened. One must be able to support his accusations when the consequences are as important as a sharp drop in the stock market. Of course, there is a real stake in transparency because the market is not enough. But the arguments that were stretched in this particular case were not [enough].”

Of course, Criteo’s problems extend beyond the GCR scrutiny.

After Criteo disclosed its exposure to Apple’s Intelligent Tracking Prevention on the latest iOS update, the company’s stock tanked because the scale of its problem was much bigger than first anticipated. A number of financial analysts also ended coverage of the stock.

Trouble ahead?

Now, according to GCR, the latest Criteo workaround to Apple’s ITP puts the company at risk of prosecution under the FTC Act.

The authors of the report say “…a Criteo Japan webpage on Sept. 20 included some details about its Apple workaround but destroyed it 1 day later.” And they note there is no mention of Criteo’s Apple workaround (the HSTS super cookies) in the public domain.

“One word buried within a Criteo Japan webpage released September 20th and promptly deleted September 21st gives us the answer: HSTS (“HTTP Strict Transport Security”). Criteo and HSTS are not mentioned in the same sentence anywhere else in the public domain, other than in copies of the deleted Criteo Japan webpage,” says the GCR report. Later in the report GCR notes that an email Criteo sent to clients used almost identical language to the Japan Criteo web page. (This, incidentally, also shows that some Criteo clients are now sharing information with Gotham City Research.)

The authors then write, “We believe Criteo’s usage of HSTS Super cookies is not only dangerous, but illegal. This would explain Criteo’s HSTS coverup. Criteo’s acts of desperation show that Apple’s ITP is a game changer.”

So what’s the deal with the HSTS Super cookie?

GCR says the HSTS protocol was not originally designed for surveillance purposes but was rather intended to enhance web browsing security. “It is only by abusing the HSTS cache, can HSTS be used for tracking users and their browsing behaviour,” according to Lachlan Kang, a security expert quoted in the report.

The problem with the approach for users is that once Criteo inserts the super cookie, any third party can track users, using the super cookie inserted by Criteo, say the authors. “This makes them far more dangerous than standard cookies, as standard cookies inserted by Criteo can only be read by Criteo… Even if users were to opt out of Criteo tracking in the future, unauthorized third parties can continue tracking them.”

GCR then asserts, “Companies that resort to dangerous and illegal methods – like supercookies – to sustain profits, are not working from a position of strength, but desperation. And desperation often leads to bad judgment, and/or fraud. Criteo’s usage of HSTS super cookies seems particularly brazen, given that we believe their behaviour is illegal, which we discuss in greater detail later in this report.”

Furthermore, GCR says there are similarities between Criteo’s behaviour today and that of Turn Inc., “who settled with the FTC last year for abusing super cookies.”

They argue that the FTC concerned itself not just with the intrusiveness of Turn’s usage of supercookies but also with what it says were the misleading and/or false disclosures regarding them.

And Gotham also asserts that Criteo’s clients may face their own legal scrutiny from its customers stemming from Criteo’s use of super cookies.

UPDATE: This article has been updated to include Criteo’s response.

*Our questions to Criteo:

1. Does Criteo’s Apple ITP workaround – the HSTS (HTTP Strict Transport Security) super cookie – violate Section 5 of the FTC Act, or does Criteo deny the specific accusation contained in the Gotham City Research report about the use of supercookies? If so, why did the Japan Criteo website suggest otherwise?

2. Are Criteo’s user tracking & consent practices in violation of coming European regulation (GDPR, article 7 recital 32) in May 2018, which could result in fines of up to 4% of revenues?

The Author

Andrew Birmingham

Andrew Birmingham is the editor-in-chief and publisher of Which-50. He is the former associate publisher of The Australian Financial Review and remains a contributing editor, and during his career he has reported on the Australian media, technology, finance, life science and related sectors over a period spanning 20 years. His work has been published by The AFR, The Australian, The Sydney Morning Herald, The Age, MIS, Computerworld, CIO, ARN, Network World, CRN Australia, and My Business.
